Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
460
Views
0
Helpful
6
Replies

VLAN Routing Through a Cisco ASA

gsnyder0111
Level 1
Level 1

‎04-24-2015 02:39 PM - edited ‎03-11-2019 10:50 PM

We are setting up a new network using a Cisco 2960-X switch through a Cisco ASA 5525 to get to the Internet.  The Cisco 2960-X is set up with  VLANS and the interface with subinterfaces have been created on the Cisco ASA.  As far as we can tell we are set up correctly on the switch side.  We can connect (ping) Cisco ASA interface and subinterface IP addresses from the switch and we can connect (ping) the subinterface IP on the Cisco ASA from a workstation (subinterface for the VLAN only).

We are unable to connect to the default gateway (external connection), or any other port on the Cisco ASA from the new network.  We suspect we need to set up static NATing but having difficulty figuring out what NAT rules we need to create.  Our ASA is running version 9.1 and most of the information we have found on-line is for older versions as the NAT commands have changed considerably.

This diagram show approx. how we are set up.

What do we need to do to establish Internet connectivity from a VLAN through the Cisco ASA?

Labels:
0 Helpful
6 Replies 6

Andre Neethling
Level 4
Level 4

‎04-24-2015 03:08 PM

You need to create a trunk link between the switch and the ASA. Set the gateway of the devices to the VLAN subinterfaces on the ASA.Then you need to set up NAT. What are you using to manage the ASA, CLI or ASDM? Please add the switch and ASA configs if you need more assistance? 

0 Helpful

gsnyder0111
Level 1
Level 1
In response to Andre Neethling

‎04-24-2015 03:15 PM

Andre,

Thanks for replying.  We have set up the trunk link, subinterfaces, and gateways.  We have been unable to get the NAT configuration to work.  We are able to use both the CLI and ASDM.

 

Gene

0 Helpful

Andre Neethling
Level 4
Level 4
In response to gsnyder0111

‎04-24-2015 03:17 PM

Can you post your switch and ASA config then?

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Andre Neethling

‎04-24-2015 05:58 PM

Hi Andre,

Checking the Topology on this issue , i see that we are using both the Physical Interface and have created sub interfaces on them.

I would not recommend that as the best practice.

Secondly , are you able to ping the ASA Sub Interfaces from the hosts in the separate VLAN's ? If yes , what about the Public IP address:- 4.2.2.1 for ex

If yes , post the relevant configuration and packet trace for the traffic outbound to the internet ?

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia

0 Helpful

gsnyder0111
Level 1
Level 1
In response to Vibhor Amrodia

‎04-27-2015 06:02 AM

Andre and Vibhor,

We are unable to reach the public our exterior facing IP addresses from the Cisco 2960-X.  The traceroutes either show only one hop, or indefinite hops with all asterisks.  We would have to greatly sanitize the two configurations to post them.

We are certain that it is the static NAT that is the problem.  There are a lot of examples using the old command, but not for the new command (version 9.1 and later).

Gene

0 Helpful

Andre Neethling
Level 4
Level 4
In response to gsnyder0111

‎04-27-2015 09:04 AM

Hi. Can you please post the configs? As Vibhor said. It's not best practice to use the physical interface as well as subinterfaces. Using traceroute may not work because by default the ASA does not inspect ICMP traffic, unless you have enabled it under your global policy map. Seeing the configs will help in troubleshooting the problem. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card